Encapsulating Security Payload (ESP)

At the heart of ESP's confidentiality service lies symmetric key encryption—the mathematical machinery that transforms readable data into unintelligible ciphertext. Without the correct key, encrypted ESP payloads are computationally indistinguishable from random noise, protecting sensitive information even when packets traverse hostile networks.

But encryption in ESP is not merely about applying an algorithm—it's about understanding how cipher modes affect security, why key management matters more than algorithm choice, how to balance performance against protection strength, and what can go wrong when encryption is misconfigured.

This page explores ESP encryption from cryptographic foundations to practical implementation, equipping you with the knowledge to configure, evaluate, and troubleshoot encrypted VPN tunnels.

ESP uses symmetric key encryption, where the same secret key is used for both encryption (at the sender) and decryption (at the receiver). This contrasts with asymmetric (public-key) encryption where different keys are used for each operation.

Why Symmetric Encryption for ESP?

Symmetric ciphers offer significant advantages for bulk data encryption:

1. Performance: Symmetric algorithms are orders of magnitude faster than asymmetric algorithms—critical when encrypting every packet at line rate

2. Efficiency: Key sizes are smaller (256 bits vs. 2048+ bits for equivalent security), reducing computational overhead

3. Streaming Capability: Symmetric ciphers can encrypt data incrementally without buffering entire messages

4. Hardware Acceleration: Modern CPUs include dedicated instructions (AES-NI) that accelerate symmetric encryption to near-native speeds

The Key Exchange Problem:

Symmetric encryption's challenge is key distribution—both parties must share the secret key securely before communication begins. IPSec solves this through IKE (Internet Key Exchange), which uses asymmetric cryptography to negotiate and derive symmetric keys securely over untrusted networks.

Block Ciphers vs. Stream Ciphers:

Symmetric ciphers fall into two categories:

Block Ciphers: Encrypt fixed-size blocks of data (e.g., 128 bits for AES)

• AES, 3DES, Blowfish
• Require mode of operation to handle arbitrary-length data
• Most ESP implementations use block ciphers

Stream Ciphers: Encrypt data bit-by-bit or byte-by-byte

• ChaCha20, RC4 (deprecated)
• Generate keystream that's XORed with plaintext
• Simpler but require careful nonce management

In practice, block ciphers in counter mode (AES-CTR, AES-GCM) behave like stream ciphers, combining block cipher security with stream cipher flexibility.

ESP supports multiple encryption algorithms, allowing deployments to select ciphers based on security requirements, performance constraints, and regulatory compliance. The choice of algorithm is negotiated during IKE Phase 2 (or IKEv2 CREATE_CHILD_SA).

The AES Family (Advanced Encryption Standard):

AES is the dominant cipher in ESP deployments, standardized by NIST after an open competition that evaluated security, performance, and implementation characteristics.

Key AES Characteristics:

• Block size: 128 bits (16 bytes)
• Key sizes: 128, 192, or 256 bits
• Structure: Substitution-permutation network (SPN)
• Rounds: 10 (AES-128), 12 (AES-192), 14 (AES-256)
• Status: No practical attacks; considered secure for foreseeable future

AES alone encrypts single 128-bit blocks. For ESP (which handles variable-length packets), AES must be used with a mode of operation that extends it to arbitrary-length messages.

ChaCha20-Poly1305:

ChaCha20-Poly1305 is a modern AEAD cipher gaining adoption in ESP (RFC 7634). Designed by Daniel Bernstein, it offers:

• Excellent software performance: As fast as AES-GCM even without hardware acceleration
• Mobile/IoT suitability: Great for devices without AES-NI
• Resistance to timing attacks: Constant-time implementation is straightforward
• 256-bit key only: Single key size simplifies configuration

Deprecated Algorithms:

Several legacy algorithms should be avoided:

• 3DES: Susceptible to Sweet32 attacks; 64-bit block size leads to birthday-bound attacks at ~32GB of traffic
• DES: 56-bit key; trivially breakable with modern hardware
• Blowfish: 64-bit block; similar birthday-bound concerns
• RC4: Multiple attacks; completely broken

Block ciphers like AES encrypt fixed-size blocks (128 bits). To encrypt arbitrary-length ESP payloads, we need modes of operation that extend the block cipher to handle messages of any length. The mode choice significantly impacts security, performance, and implementation complexity.

Cipher Block Chaining (CBC) Mode:

CBC was the traditional mode for ESP encryption (AES-CBC, 3DES-CBC).

Operation:

1. XOR first plaintext block with Initialization Vector (IV)
2. Encrypt the XOR result
3. XOR second plaintext block with first ciphertext block
4. Encrypt and repeat...

Characteristics:

• Each ciphertext block depends on all previous blocks (chaining)
• Requires random, unpredictable IV per packet
• Encryption is sequential (can't parallelize)
• Decryption can be parallelized
• Requires padding to block boundary

Counter (CTR) Mode:

CTR mode transforms a block cipher into a stream cipher by encrypting sequential counter values and XORing the result with plaintext.

Operation:

1. Concatenate nonce with counter (starting at 0 or 1)
2. Encrypt nonce||counter to produce keystream block
3. XOR keystream with plaintext block
4. Increment counter, repeat

Advantages:

• Fully parallelizable (both encryption and decryption)
• No padding needed (encrypt exactly the message length)
• Pre-compute keystream before plaintext arrives

Critical Requirement: The nonce+counter combination must NEVER repeat with the same key. Reuse reveals XOR of two plaintexts—catastrophic security failure.

Galois/Counter Mode (GCM):

GCM combines CTR mode encryption with Galois field authentication, providing Authenticated Encryption with Associated Data (AEAD) in a single operation.

Components:

• CTR encryption: Provides confidentiality (as described above)
• GHASH authentication: Galois field multiplication for integrity
• Combined output: Ciphertext + authentication tag

Why GCM Dominates Modern ESP:

• Single pass: Encrypt and authenticate simultaneously
• Hardware acceleration: AES-NI includes GCM-specific instructions (PCLMULQDQ)
• Strong security proofs: Well-analyzed construction
• Efficiency: Minimal overhead beyond raw encryption

ESP encryption keys are not configured directly—they're derived from keying material established during IKE negotiation. Understanding this derivation process is essential for troubleshooting key-related issues and ensuring adequate security.

The IKE Key Hierarchy:

IKE (Internet Key Exchange) establishes a hierarchy of keys:

1. SKEYSEED: Initial keying material derived from Diffie-Hellman exchange
2. SK_d: Key for deriving child SA keys
3. SK_ai/SK_ar: Authentication keys for IKE messages
4. SK_ei/SK_er: Encryption keys for IKE messages
5. ESP Keys: Derived from SK_d for each Child SA

ESP Key Derivation:

When an ESP SA is created, the following keys are derived:

• Encryption Key: Length depends on algorithm (16/24/32 bytes for AES-128/192/256)
• Authentication Key (if not AEAD): Length depends on HMAC algorithm
• Salt (for some algorithms): Fixed value mixed with IV

Key derivation uses a PRF (Pseudo-Random Function) to expand SK_d into the required key material:

KEYMAT = PRF+(SK_d, Ni | Nr | SPIi | SPIr)

Key Separation:

ESP uses separate keys for each direction of communication. The initiator and responder derive different keys for:

• Initiator → Responder encryption
• Responder → Initiator encryption
• Initiator → Responder authentication (if applicable)
• Responder → Initiator authentication (if applicable)

This separation ensures that compromising one direction's keys doesn't immediately compromise the other direction.

Perfect Forward Secrecy (PFS):

With PFS enabled, each Child SA performs a new Diffie-Hellman exchange to derive fresh keying material. Without PFS, all Child SA keys derive from the original IKE SA's DH exchange.

With PFS:

• Compromise of one SA's keys doesn't reveal other SAs' keys
• Higher security but additional computational overhead
• Recommended for high-security deployments

Without PFS:

• Slight performance improvement
• If IKE SA keys are compromised, all Child SA keys are derivable
• Acceptable for many deployments with strong IKE SA protection

When an ESP endpoint encrypts a packet, it executes a precise sequence of operations. Understanding this process helps diagnose encryption failures and optimize implementations.

ESP Encryption Workflow (AES-GCM):

Step 1: Prepare Payload

• Assemble data to encrypt: Original packet (tunnel) or upper-layer data (transport)
• Append ESP trailer: Add padding, pad length, next header

Step 2: Construct Nonce

• Combine salt (from SA, 4 bytes) with explicit IV (8 bytes, typically sequence number or counter)
• Result: 12-byte nonce for GCM

Step 3: Assemble Associated Data (AAD)

• AAD = ESP header (SPI + Sequence Number)
• This data is authenticated but not encrypted

Step 4: Encrypt and Authenticate

• Input to AES-GCM: Key, Nonce, Plaintext, AAD
• Output: Ciphertext, Authentication Tag (ICV)

Step 5: Construct ESP Packet

• Concatenate: ESP Header + IV + Ciphertext + ICV
• Prepend outer IP header (tunnel mode) or original IP header (transport mode)

Decryption Workflow:

The receiver performs the inverse process:

1. Parse ESP Header: Extract SPI and Sequence Number
2. Lookup SA: Find matching SA in SAD using SPI + destination IP
3. Verify Sequence Number: Check against anti-replay window
4. Reconstruct Nonce: Combine SA salt with received IV
5. Verify and Decrypt: AES-GCM authenticates then decrypts
   • If authentication fails: Discard silently
   • If authentication passes: Obtain plaintext
6. Remove Trailer: Read pad length, strip padding
7. Process Payload: Pass to upper layer (transport) or IP stack (tunnel)

ESP encryption must operate at line rate—potentially processing millions of packets per second without becoming a bottleneck. Modern implementations achieve this through hardware acceleration, parallelization, and careful algorithm selection.

Hardware Acceleration:

AES-NI (AES New Instructions): Intel and AMD processors include dedicated instructions for AES operations:

• AESENC, AESDEC: Single-round encryption/decryption
• AESKEYGENASSIST: Key expansion assistance
• PCLMULQDQ: Carry-less multiplication (for GCM's GHASH)

Performance Impact:

• AES-GCM with AES-NI: 3-10 Gbps per core (varies by processor)
• AES-GCM without AES-NI: 100-500 Mbps per core
• 10-30x improvement with hardware acceleration

Parallelization Strategies:

Multi-core Distribution:

• Distribute SA workload across multiple cores
• Hash incoming packets to cores based on SA (SPI-based hashing)
• Each core maintains subset of SA state
• Scales linearly with core count (up to practical limits)

Within-packet Parallelization:

• AES-GCM and AES-CTR allow parallel block encryption
• Pipelining: Process multiple blocks simultaneously
• SIMD: Wide vector instructions encrypt 4-8 blocks at once

Dedicated Hardware:

• Network Interface Cards with crypto offload
• FPGA-based encryption engines
• Dedicated security processors (QuickAssist, NITROX)
• 10-100+ Gbps throughput in dedicated silicon

Software Optimization:

• Avoid memory allocation in fast path
• Minimize cache misses (hot SA data structures)
• Use zero-copy techniques where possible
• Batch small packets for processing efficiency

Even strong algorithms can be rendered useless by configuration errors. Recognizing common misconfigurations helps ensure that encryption provides its intended protection.

1. Null Encryption (ENCR_NULL)

Some configurations accidentally or intentionally use null encryption, providing no confidentiality:

• Symptom: Packets authenticated but payload visible in captures
• Cause: Misconfigured proposal, legacy compatibility settings
• Fix: Explicitly require non-null encryption in proposals

2. Weak Algorithm Selection

Using deprecated algorithms that provide inadequate security:

• Examples: 3DES, DES, Blowfish, RC4
• Symptom: Passes interoperability tests but vulnerable to attacks
• Fix: Configure only modern algorithms (AES-GCM, ChaCha20-Poly1305)

3. Mismatched Algorithm Proposals

When initiator and responder support different algorithms, negotiation fails or falls back to weak algorithms:

• Symptom: SA establishment fails or uses weaker-than-expected cipher
• Cause: Asymmetric configuration between endpoints
• Fix: Ensure matching proposals on both ends; prioritize strong algorithms

4. Missing Perfect Forward Secrecy

Without PFS, compromise of IKE SA enables decryption of all past traffic:

• Symptom: Configuration appears correct but lacks resilience
• Cause: PFS not enabled in Child SA creation
• Fix: Enable PFS (DH group negotiation) for Child SAs

5. Improper Random Number Generation

Weak random numbers compromise IV generation and key derivation:

• Symptom: Patterns in IVs, predictable keys
• Cause: Exhausted entropy, poor PRNG seeding
• Fix: Ensure strong entropy sources; use cryptographic PRNGs

ESP encryption transforms readable data into protected ciphertext, enabling confidential communication across untrusted networks. Proper understanding of encryption mechanisms ensures secure, performant deployments.

What's Next:

With encryption covered, we'll examine ESP authentication mechanisms in detail. You'll learn how HMAC and AEAD authentication work, the importance of the Integrity Check Value, the relationship between encryption and authentication, and best practices for configuring authentication in ESP deployments.